[bug] assetScope is inconsistent between absolute and relative paths

[Elanis]

Describe the bug

(Report after discussion on Discord with @FabianLars and @lucasfernog)

When using relative paths with assets protocol in the current tauri version, you need to explicitly specify paths to have files whitelisted. Indeed, when using absolute path, you use glob patterns:

/home/myUser/myapp/* => Works for every file in this folder
/home/myUser/myapp/myimage.png => Works for this specific file

But when using a relative to binary path, glob doesn't work

mySubfolder/* => 403 for every file in this folder
mySubfolder/myimage.png => Works for this specific file

There are possible workaround e.g.:

• Specifiying every file manually inside assetScope array
• Adding the folder at runtime

Reproduction

1. Create an empty app
2. Enable asset protocol
3. Specify CSP to allow asset URL
4. Put the picture inside the subfolder (in debug CLI, this folder will be relative to src-tauri/, in release mode relative to .exe file)
5. Add this picture to html body (using convertFileSrc to get asset.localhost or asset:// url)
6. Reproduce both scope configuration to notice the bug

Expected behavior

No response

Platform and versions

Environment › OS: Windows 10.0.22621 X64 › Webview2: 108.0.1462.54 › MSVC:

• Visual Studio Build Tools�2019 › Node.js: 16.17.1 › npm: 8.15.0 › pnpm: Not installed! › yarn: Not installed! › rustup: 1.24.3 › rustc: 1.63.0 › cargo: 1.63.0 › Rust toolchain: stable-x86_64-pc-windows-msvc

Packages › @tauri-apps/cli [NPM]: 1.2.2 › @tauri-apps/api [NPM]: 1.2.0 › tauri [RUST]: 1.2.2, › tauri-build [RUST]: 1.2.1, › tao [RUST]: 0.15.8, › wry [RUST]: 0.23.4,

App › build-type: build › CSP: default-src 'self'; img-src 'self' asset: https://asset.localhost › distDir: ../dist › devPath: http://localhost:1420/ › framework: React › bundler: Vite

App directory structure ├─ .git ├─ .github ├─ dist ├─ node_modules ├─ public ├─ src └─ src-tauri

Stack trace

No response

Additional context

No response

[lucasfernog]

I'm trying to reproduce this with the API example. So I modify the configuration to allow "src/lib.rs" on the allowlist scope. Then I run fetch(window.__TAURI__.tauri.convertFileSrc('src/lib.rs')).then(console.log) and it gives me a 403 since we canonicalize the path before checking if it's allowed. So relative paths shouldn't work at all. Can you share a repo I can use to see what you've done?

[Elanis]

Here's a minimal example: https://github.com/Elanis/tauri-5896-example

If you replace assetScope "assets/img/achievements.png" by "assets/img/*" for example, it doesn't work anymore

[lucasfernog]

So I think this is only an issue on Windows, on macOS it always gets rejected. The fallback here might be the problem. I can check this after the holidays, I don't have Windows access right now.

[Elanis]

Thanks for the investigation ! Indeed, I didn't try on Linux or MacOS, might be Windows only.

[lucasfernog]

Specifying the relative path assets/img/achievements.png in the scope works because we canonicalize the path, and since it exists it will return the absolute form of it, which can be matched against the path given in the asset protocol. In this case, this is the scope:

Scope { allowed_patterns: ["\\\\?\\C:\\Users\\username\\projects\\tauri\\tauri\\tauri-5896-example\\src-tauri\\assets\\img\\achievements.png", "assets\\img\\achievements.png"], forbidden_patterns: [] }

When we change the scope to allow assets/img/*.png, the *.png file does not exist in that folder, so the scope is different:

Scope { allowed_patterns: ["\\\\?\\assets\\img\\*.png", "assets\\img\\*.png"], forbidden_patterns: [] }

We should either block relative paths from the scope (I believe this was a concern raised by @tweidinger but we didn't handle this case) or prepend the CWD path in the scope so instead of \\\\?\\assets\\img\\*.png it would be \\\\?\\C:\\Users\\username\\projects\\tauri\\tauri\\tauri-5896-example\\src-tauri\\assets\\img\\achievements.png.